idnits 2.17.1 draft-ietf-tcpm-converters-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([This-RFC]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (June 18, 2019) is 1773 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'This-RFC' is mentioned on line 1463, but not defined ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Obsolete normative reference: RFC 6824 (Obsoleted by RFC 8684) == Outdated reference: A later version (-03) exists of draft-boucadair-tcpm-dhc-converter-02 == Outdated reference: A later version (-11) exists of draft-olteanu-intarea-socks-6-06 -- Obsolete informational reference (is this intentional?): RFC 1323 (Obsoleted by RFC 7323) Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TCPM Working Group O. Bonaventure, Ed. 3 Internet-Draft Tessares 4 Intended status: Experimental M. Boucadair, Ed. 5 Expires: December 20, 2019 Orange 6 S. Gundavelli 7 Cisco 8 S. Seo 9 Korea Telecom 10 B. Hesmans 11 Tessares 12 June 18, 2019 14 0-RTT TCP Convert Protocol 15 draft-ietf-tcpm-converters-08 17 Abstract 19 This document specifies an application proxy, called Transport 20 Converter, to assist the deployment of TCP extensions such as 21 Multipath TCP. This proxy is designed to avoid inducing extra delay 22 when involved in a network-assisted connection (that is, 0-RTT). 24 This specification assumes an explicit model, where the proxy is 25 explicitly configured on hosts. 27 -- Editorial Note (To be removed by RFC Editor) 29 Please update these statements with the RFC number to be assigned to 30 this document: [This-RFC] 32 Please update TBA statements with the port number to be assigned to 33 the 0-RTT TCP Convert Protocol. 35 Status of This Memo 37 This Internet-Draft is submitted in full conformance with the 38 provisions of BCP 78 and BCP 79. 40 Internet-Drafts are working documents of the Internet Engineering 41 Task Force (IETF). Note that other groups may also distribute 42 working documents as Internet-Drafts. The list of current Internet- 43 Drafts is at https://datatracker.ietf.org/drafts/current/. 45 Internet-Drafts are draft documents valid for a maximum of six months 46 and may be updated, replaced, or obsoleted by other documents at any 47 time. It is inappropriate to use Internet-Drafts as reference 48 material or to cite them other than as "work in progress." 49 This Internet-Draft will expire on December 20, 2019. 51 Copyright Notice 53 Copyright (c) 2019 IETF Trust and the persons identified as the 54 document authors. All rights reserved. 56 This document is subject to BCP 78 and the IETF Trust's Legal 57 Provisions Relating to IETF Documents 58 (https://trustee.ietf.org/license-info) in effect on the date of 59 publication of this document. Please review these documents 60 carefully, as they describe your rights and restrictions with respect 61 to this document. Code Components extracted from this document must 62 include Simplified BSD License text as described in Section 4.e of 63 the Trust Legal Provisions and are provided without warranty as 64 described in the Simplified BSD License. 66 Table of Contents 68 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 69 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 5 70 3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 6 71 3.1. Functional Elements . . . . . . . . . . . . . . . . . . . 6 72 3.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 8 73 3.3. Sample Examples of Outgoing Converter-Assisted Multipath 74 TCP Connections . . . . . . . . . . . . . . . . . . . . . 11 75 3.4. Sample Example of Incoming Converter-Assisted Multipath 76 TCP Connection . . . . . . . . . . . . . . . . . . . . . 13 77 4. The Convert Protocol (Convert) . . . . . . . . . . . . . . . 14 78 4.1. The Convert Fixed Header . . . . . . . . . . . . . . . . 14 79 4.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . . . 15 80 4.2.1. Generic Convert TLV Format . . . . . . . . . . . . . 15 81 4.2.2. Summary of Supported Convert TLVs . . . . . . . . . . 16 82 4.2.3. The Info TLV . . . . . . . . . . . . . . . . . . . . 17 83 4.2.4. Supported TCP Extensions TLV . . . . . . . . . . . . 17 84 4.2.5. Connect TLV . . . . . . . . . . . . . . . . . . . . . 18 85 4.2.6. Extended TCP Header TLV . . . . . . . . . . . . . . . 20 86 4.2.7. The Cookie TLV . . . . . . . . . . . . . . . . . . . 20 87 4.2.8. Error TLV . . . . . . . . . . . . . . . . . . . . . . 21 88 5. Compatibility of Specific TCP Options with the Conversion 89 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 90 5.1. Base TCP Options . . . . . . . . . . . . . . . . . . . . 24 91 5.2. Window Scale (WS) . . . . . . . . . . . . . . . . . . . . 25 92 5.3. Selective Acknowledgements . . . . . . . . . . . . . . . 25 93 5.4. Timestamp . . . . . . . . . . . . . . . . . . . . . . . . 26 94 5.5. Multipath TCP . . . . . . . . . . . . . . . . . . . . . . 26 95 5.6. TCP Fast Open . . . . . . . . . . . . . . . . . . . . . . 26 96 5.7. TCP User Timeout . . . . . . . . . . . . . . . . . . . . 27 97 5.8. TCP-AO . . . . . . . . . . . . . . . . . . . . . . . . . 27 98 5.9. TCP Experimental Options . . . . . . . . . . . . . . . . 27 99 6. Interactions with Middleboxes . . . . . . . . . . . . . . . . 27 100 7. Security Considerations . . . . . . . . . . . . . . . . . . . 28 101 7.1. Privacy & Ingress Filtering . . . . . . . . . . . . . . . 28 102 7.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 29 103 7.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 30 104 7.4. Traffic Theft . . . . . . . . . . . . . . . . . . . . . . 30 105 7.5. Multipath TCP-specific Considerations . . . . . . . . . . 30 106 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31 107 8.1. Convert Service Port Number . . . . . . . . . . . . . . . 31 108 8.2. The Convert Protocol (Convert) Parameters . . . . . . . . 31 109 8.2.1. Convert Versions . . . . . . . . . . . . . . . . . . 31 110 8.2.2. Convert TLVs . . . . . . . . . . . . . . . . . . . . 32 111 8.2.3. Convert Error Messages . . . . . . . . . . . . . . . 32 112 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 33 113 9.1. Contributors . . . . . . . . . . . . . . . . . . . . . . 34 114 10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 35 115 11. Example Socket API Changes to Support the 0-RTT Convert 116 Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 36 117 11.1. Active Open (Client Side) . . . . . . . . . . . . . . . 36 118 11.2. Passive Open (Converter Side) . . . . . . . . . . . . . 37 119 12. Differences with SOCKSv5 . . . . . . . . . . . . . . . . . . 38 120 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 121 13.1. Normative References . . . . . . . . . . . . . . . . . . 40 122 13.2. Informative References . . . . . . . . . . . . . . . . . 42 123 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 125 1. Introduction 127 Transport protocols like TCP evolve regularly [RFC7414]. TCP has 128 been improved in different ways. Some improvements such as changing 129 the initial window size [RFC6928] or modifying the congestion control 130 scheme can be applied independently on clients and servers. Other 131 improvements such as Selective Acknowledgements [RFC2018] or large 132 windows [RFC7323] require a new TCP option or to change the semantics 133 of some fields in the TCP header. These modifications must be 134 deployed on both clients and servers to be actually used on the 135 Internet. Experience with the latter TCP extensions reveals that 136 their deployment can require many years. Fukuda reports in 137 [Fukuda2011] results of a decade of measurements showing the 138 deployment of Selective Acknowledgements, Window Scale and TCP 139 Timestamps. [ANRW17] describes measurements showing that TCP Fast 140 Open (TFO) [RFC7413] is still not widely deployed. 142 There are some situations where the transport stack used on clients 143 (or servers) can be upgraded at a faster pace than the transport 144 stack running on servers (or clients). In those situations, clients 145 would typically want to benefit from the features of an improved 146 transport protocol even if the servers have not yet been upgraded and 147 conversely. Performance Enhancing Proxies [RFC3135], and other 148 service functions have been deployed as solutions to improve TCP 149 performance over links with specific characteristics. 151 Recent examples of TCP extensions include Multipath TCP [RFC6824] or 152 TCPINC [RFC8548]. Those extensions provide features that are 153 interesting for clients such as wireless devices. With Multipath 154 TCP, those devices could seamlessly use WLAN (Wireless Local Area 155 Network) and cellular networks, for bonding purposes, faster 156 handovers, or better resiliency. Unfortunately, deploying those 157 extensions on both a wide range of clients and servers remains 158 difficult. 160 More recently, experimentation of 5G bonding, which has very scarce 161 coverage, has been conducted into global range of the incumbent 4G 162 (LTE) connectivity in newly devised clients using Multipath TCP 163 proxy. Even if the 5G and the 4G bonding by using Multipath TCP 164 increases the bandwidth, it is as well crucial to minimize latency 165 for all the way between endhosts regardless of whether intermediate 166 nodes are inside or outside of the mobile core. In order to handle 167 URLLC (Ultra Reliable Low Latency Communication) for the next 168 generation mobile network, Multipath TCP and its proxy mechanism such 169 as the one used to provide Access Traffic Steering, Switching, and 170 Splitting (ATSSS) must be optimised to reduce latency [TS23501]. 172 This document specifies an application proxy, called Transport 173 Converter. A Transport Converter is a function that is installed by 174 a network operator to aid the deployment of TCP extensions and to 175 provide the benefits of such extensions to clients. A Transport 176 Converter may provide conversion service for one or more TCP 177 extensions. Which TCP extensions are eligible to the conversion 178 service is deployment-specific. The conversion service is provided 179 by means of the 0-RTT TCP Convert Protocol (Convert), that is an 180 application-layer protocol which uses TCP port number TBA 181 (Section 8). 183 The Transport Converter adheres to the main principles drawn in 184 [RFC1919]. In particular, a Transport Converter achieves the 185 following: 187 o Listen for client sessions; 189 o Receive from a client the address of the final target server; 191 o Setup a session to the final server; 192 o Relay control messages and data between the client and the server; 194 o Perform access controls according to local policies. 196 The main advantage of network-assisted conversion services is that 197 they enable new TCP extensions to be used on a subset of the path 198 between endpoints, which encourages the deployment of these 199 extensions. Furthermore, the Transport Converter allows the client 200 and the server to directly negotiate TCP options for the sake of 201 native support along the full path. 203 The Convert Protocol is a generic mechanism to provide 0-RTT 204 conversion service. As a sample applicability use case, this 205 document specifies how the Convert Protocol applies for Multipath 206 TCP. It is out of scope of this document to provide a comprehensive 207 list of all potential conversion services. Applicability documents 208 may be defined in the future. 210 This document does not assume that all the traffic is eligible to the 211 network-assisted conversion service. Only a subset of the traffic 212 will be forwarded to a Transport Converter according to a set of 213 policies. These policies, and how they are communicated to 214 endpoints, are out of scope. Furthermore, it is possible to bypass 215 the Transport Converter to connect directly to the servers that 216 already support the required TCP extension(s). 218 This document assumes an explicit model in which a client is 219 configured with one or a list of Transport Converters (statically or 220 through protocols such as [I-D.boucadair-tcpm-dhc-converter]). 221 Configuration means are outside the scope of this document. 223 This document is organized as follows. We first provide a brief 224 explanation of the operation of Transport Converters in Section 3. 225 We describe the Convert Protocol in Section 4. We discuss in 226 Section 5 how Transport Converters can be used to support different 227 TCP extensions. We then discuss the interactions with middleboxes 228 (Section 6) and the security considerations (Section 7). 230 Appendix A discusses how a TCP stack would need to support the 231 protocol described in this document. Appendix B provides a 232 comparison with SOCKS proxies that are already used to deploy 233 Multipath TCP in some cellular networks (Section 2.2 of [RFC8041]). 235 2. Requirements 237 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 238 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 239 "OPTIONAL" in this document are to be interpreted as described in 241 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, 242 as shown here. 244 3. Architecture 246 3.1. Functional Elements 248 The Convert Protocol considers three functional elements: 250 o Clients; 252 o Transport Converters; 254 o Servers. 256 A Transport Converter is a network function that relays all data 257 exchanged over one upstream connection to one downstream connection 258 and vice versa (Figure 1). The Transport Converter, thus, maintains 259 state that associates one upstream connection to a corresponding 260 downstream connection. 262 A connection can be initiated from both sides of the Transport 263 Converter (Internet-facing interface, client-facing interface). 265 | 266 : 267 | 268 +------------+ 269 client <- upstream ->| Transport |<- downstream ->server 270 | Converter | 271 +------------+ 272 | 273 client-facing interface : Internet-facing interface 274 | 276 Figure 1: A Transport Converter Relays Data between Pairs of TCP 277 Connections 279 Transport Converters can be operated by network operators or third 280 parties. Nevertheless, this document focuses on the single 281 administrative deployment case where the entity offering the 282 connectivity service to a client is also the entity which owns and 283 operates the Transport Converter. 285 A Transport Converter can be embedded in a standalone device or be 286 activated as a service on a router. How such function is enabled is 287 deployment-specific. A sample deployment is depicted in Figure 2. 289 +-+ +-+ +-+ 290 Client - |R| -- |R| -- |R| - - - Server 291 +-+ +-+ +-+ 292 | 293 +-+ 294 |R| 295 +-+ 296 | 297 +---------+ 298 |Transport| 299 |Converter| 300 +---------+ 302 Figure 2: A Transport Converter Can Be Installed Anywhere in the 303 Network 305 The architecture assumes that new software will be installed on the 306 Client hosts to interact with one or more Transport Converters. 307 Further, the architecture allows for making use of new TCP extensions 308 even if those are not supported by a given server. 310 The Client is configured, through means that are outside the scope of 311 this document, with the names and/or the addresses of one or more 312 Transport Converters and the TCP extensions that they support. The 313 procedure for selecting a Transport Converter among a list of 314 configured Transport Converters is outside the scope of this 315 document. 317 One of the benefits of this design is that different transport 318 protocol extensions can be used on the upstream and the downstream 319 connections. This encourages the deployment of new TCP extensions 320 until they are widely supported by servers, in particular. 322 The architecture does not mandate anything on the server side. 324 Similar to address sharing mechanisms, the architecture does not 325 interfere with end-to-end TLS connections [RFC8446] between the 326 Client and the Server (Figure 3). In other words, end-to-end TLS is 327 supported in the presence of a Converter. 329 Client Transport Server 330 | Converter | 331 | | | 332 /==========================================\ 333 | End-to-end TLS | 334 \==========================================/ 336 * TLS messages exhanged between the Client 337 and the Server are not shown. 339 Figure 3: End-to-end TLS via a Transport Converter 341 It is out of scope of this document to elaborate on specific 342 considerations related to the use of TLS in the Client-Converter 343 connection leg to exchange Convert TLVs (in addition to the end-to- 344 end TLS connection). 346 3.2. Theory of Operation 348 At a high level, the objective of the Transport Converter is to allow 349 the use a specific extension, e.g., Multipath TCP, on a subset of the 350 path even if the peer does not support this extension. This is 351 illustrated in Figure 4 where the Client initiates a Multipath TCP 352 connection with the Transport Converter (packets belonging to the 353 Multipath TCP connection are shown with "===") while the Transport 354 Converter uses a regular TCP connection with the Server. 356 Client Transport Server 357 | Converter | 358 | | | 359 |==================>|--------------------->| 360 | | | 361 |<==================|<---------------------| 362 | | | 363 Multipath TCP packets Regular TCP packets 365 Figure 4: An Example of 0-RTT Network-Assisted MPTCP Connection 367 The packets belonging to the pair of connections between the Client 368 and Server passing through a Transport Converter may follow a 369 different path than the packets directly exchanged between the Client 370 and the Server. Deployments should minimize the possible additional 371 delay by carefully selecting the location of the Transport Converter 372 used to reach a given destination. 374 When establishing a connection, the Client can, depending on local 375 policies, either contact the Server directly (e.g., by sending a TCP 376 SYN towards the Server) or create the connection via a Transport 377 Converter. In the latter case (that is, the conversion service is 378 used), the Client initiates a connection towards the Transport 379 Converter and indicates the IP address and port number of the Server 380 within the connection establishment packet. Doing so enables the 381 Transport Converter to immediately initiate a connection towards that 382 Server, without experiencing an extra delay. The Transport Converter 383 waits until the receipt of the confirmation that the Server agrees to 384 establish the connection before confirming it to the Client. 386 The client places the destination address and port number of the 387 Server in the payload of the SYN sent to the Transport Converter to 388 minimize connection establishment delays. In accordance with 389 [RFC1919], the Transport Converter maintains two connections that are 390 combined together: 392 o the upstream connection is the one between the Client and the 393 Transport Converter. 395 o the downstream connection is between the Transport Converter and 396 the Server. 398 Any user data received by the Transport Converter over the upstream 399 (or downstream) connection is relayed over the downstream (or 400 upstream) connection. In particular, if the initial SYN message 401 contains data in its payload (e.g., [RFC7413]), that data MUST be 402 placed right after the Convert TLVs when generating the relayed SYN. 404 The Converter associates a lifetime with state entries used to bind 405 an upstream connection with its downstream connection. 407 Figure 5 illustrates the establishment of an outbound TCP connection 408 by a Client through a Transport Converter. The information shown 409 between brackets denotes Convert Protocol messages described in 410 Section 4. 412 Transport 413 Client Converter Server 414 | | | 415 |SYN [->Server:port]| SYN | 416 |------------------>|--------------------->| 417 |<------------------|<---------------------| 418 | SYN+ACK [ ] | SYN+ACK | 419 | | | 421 Figure 5: Establishment of a TCP Connection Through a Transport 422 Converter (1) 424 The Client sends a SYN destined to the Transport Converter. The 425 payload of this SYN contains the address and port number of the 426 Server. The Transport Converter does not reply immediately to this 427 SYN. It first tries to create a TCP connection towards the target 428 Server. If this upstream connection succeeds, the Transport 429 Converter confirms the establishment of the connection to the Client 430 by returning a SYN+ACK and the first bytes of the bytestream contain 431 information about the TCP options that were negotiated with the 432 Server. This information is sent at the beginning of the bytestream, 433 either directly in the SYN+ACK or in a subsequent packet. For 434 graphical reasons, the figures in this section show that the 435 Transport Converter returns this information in the SYN+ACK packet. 436 An implementation could also place this information in a packet that 437 it sent shortly after the SYN+ACK. 439 The connection can also be established from the Internet towards a 440 Client via a Transport Converter. This is typically the case when an 441 application on the Client listens to a specific port (the Client 442 hosts a server, typically). 444 A Transport Converter MAY operate in address preservation or address 445 sharing modes as discussed in Section 5.4 of 446 [I-D.nam-mptcp-deployment-considerations]. Which behavior to use by 447 a Transport Converter is deployment-specific. If address sharing 448 mode is enabled, the Transport Converter MUST adhere to REQ-2 of 449 [RFC6888] which implies a default "IP address pooling" behavior of 450 "Paired" (as defined in Section 4.1 of [RFC4787]) must be supported. 451 This behavior is meant to avoid breaking applications that depend on 452 the external address remaining constant. 454 Standard TCP ([RFC0793], Section 3.4) allows a SYN packet to carry 455 data inside its payload but forbids the receiver from delivering it 456 to the application until completion of the three-way-handshake. To 457 enable applications to exchange data in a TCP handshake, this 458 specification follows an approach similar to TCP Fast Open [RFC7413] 459 and thus removes the constraint by allowing data in SYN packets to be 460 delivered to the Transport Converter application. 462 As discussed in [RFC7413], such change to TCP semantic raises two 463 issues. First, duplicate SYNs can cause problems for some 464 applications that rely on TCP. Second, TCP suffers from SYN flooding 465 attacks [RFC4987]. TFO solves these two problems for applications 466 that can tolerate replays by using the TCP Fast Open option that 467 includes a cookie. However, the utilization of this option consumes 468 space in the limited TCP header. Furthermore, there are situations, 469 as noted in Section 7.3 of [RFC7413] where it is possible to accept 470 the payload of SYN packets without creating additional security risks 471 such as a network where addresses cannot be spoofed and the Transport 472 Converter only serves a set of hosts that are identified by these 473 addresses. 475 For these reasons, this specification does not mandate the use of the 476 TCP Fast Open option when the Client sends a connection establishment 477 packet towards a Transport Converter. The Convert protocol includes 478 an optional Cookie TLV that provides similar protection as the TCP 479 Fast Open option without consuming space in the extended TCP header. 481 If the downstream (or upstream) connection fails for some reason 482 (excessive retransmissions, reception of a RST segment, etc.), then 483 the Converter should force the teardown of the upstream (or 484 downstream) connection. 486 The same reasoning applies when the upstream connection ends. In 487 this case, the Converter should also terminate the downstream 488 connection by using FIN segments. If the downstream connection 489 terminates with the exchange of FIN segments, the Converter should 490 initiate a graceful termination of the upstream connection. 492 3.3. Sample Examples of Outgoing Converter-Assisted Multipath TCP 493 Connections 495 As an example, let us consider how the Convert protocol can help the 496 deployment of Multipath TCP. We assume that both the Client and the 497 Transport Converter support Multipath TCP, but consider two different 498 cases depending on whether the Server supports Multipath TCP or not. 500 As a reminder, a Multipath TCP connection is created by placing the 501 MP_CAPABLE (MPC) option in the SYN sent by the Client. 503 Figure 6 describes the operation of the Transport Converter if the 504 Server does not support Multipath TCP. 506 Transport 507 Client Converter Server 508 |SYN, | | 509 |MPC [->Server:port]| | 510 |------------------>| SYN, MPC | 511 | |--------------------->| 512 | |<---------------------| 513 |<------------------| SYN+ACK | 514 | SYN+ACK,MPC [.] | | 515 | | | 516 |------------------>| | 517 | ACK, MPC |--------------------->| 518 | | ACK | 520 Figure 6: Establishment of a Multipath TCP Connection Through a 521 Transport Converter towards a Server that Does Not Support Multipath 522 TCP 524 The Client tries to initiate a Multipath TCP connection by sending a 525 SYN with the MP_CAPABLE option (MPC in Figure 6). The SYN includes 526 the address and port number of the target Server, that are extracted 527 and used by the Transport Converter to initiate a Multipath TCP 528 connection towards this Server. Since the Server does not support 529 Multipath TCP, it replies with a SYN+ACK that does not contain the 530 MP_CAPABLE option. The Transport Converter notes that the connection 531 with the Server does not support Multipath TCP and returns the 532 extended TCP header received from the Server to the Client. 534 Note that, if the TCP connection fails for some reason, the Converter 535 tears down the Multipath TCP connection by transmitting a 536 MP_FASTCLOSE. Likewise, if the Multipath TCP connection ends with 537 the transmission of DATA_FINs, the Converter terminates the TCP 538 connection by using FIN segments. 540 Figure 7 considers a Server that supports Multipath TCP. In this 541 case, it replies to the SYN sent by the Transport Converter with the 542 MP_CAPABLE option. Upon reception of this SYN+ACK, the Transport 543 Converter confirms the establishment of the connection to the Client 544 and indicates to the Client that the Server supports Multipath TCP. 545 With this information, the Client has discovered that the Server 546 supports Multipath TCP natively. This will enable the Client to 547 bypass the Transport Converter for the subsequent Multipath TCP 548 connections that it will initiate towards this Server. 550 Transport 551 Client Converter Server 552 |SYN, | | 553 |MPC [->Server:port]| | 554 |------------------>| SYN, MPC | 555 | |--------------------->| 556 | |<---------------------| 557 |<------------------| SYN+ACK, MPC | 558 |SYN+ACK, | | 559 |MPC [MPC supported]| | 560 |------------------>| | 561 | ACK, MPC |--------------------->| 562 | | ACK, MPC | 564 Figure 7: Establishment of a Multipath TCP Connection Through a 565 Converter Towards an MPTCP-capable Server 567 3.4. Sample Example of Incoming Converter-Assisted Multipath TCP 568 Connection 570 An example of an incoming Converter-assisted Multipath TCP connection 571 is depicted in Figure 8. In order to support incoming connections 572 from remote hosts, the Client may use PCP [RFC6887] to instruct the 573 Transport Converter to create dynamic mappings. Those mappings will 574 be used by the Transport Converter to intercept an incoming TCP 575 connection destined to the Client and convert it into a Multipath TCP 576 connection. 578 Typically, the Client sends a PCP request to the Converter asking to 579 create an explicit TCP mapping for (internal IP address, internal 580 port number). The Converter accepts the request by creating a TCP 581 mapping (internal IP address, internal port number, external IP 582 address, external port number). The external IP address and external 583 port number will be then advertised using an out-of-band mechanism so 584 that remote hosts can initiate TCP connections to the Client via the 585 Converter. Note that the external and internal information may be 586 the same. 588 Then, when the Converter receives an incoming SYN, it checks its 589 mapping table to verify if there is an active mapping matching the 590 destination IP address and destination port of that SYN. If an entry 591 is found, the Converter inserts an MP_CAPABLE option and Connect TLV 592 in the SYN packet, rewrites the source IP address to one of its IP 593 addresses and, eventually, the destination IP address and port number 594 in accordance with the information stored in the mapping. SYN-ACK 595 and ACK will be then exchanged between the Client and the Converter 596 to confirm the establishment of the initial subflow. The Client can 597 add new subflows following normal Multipath TCP procedures. 599 Transport 600 Client Converter Server 601 | | | 602 | |<-------------------| 603 |<--------------------| SYN | 604 |SYN, | | 605 |MPC[Remote Host:port]| | 606 |-------------------->| | 607 | SYN+ACK, MPC |------------------->| 608 | | SYN+ACK | 609 | |<-------------------| 610 |<--------------------| ACK | 611 | ACK, MPC | | 612 | | | 614 Figure 8: Establishment of an Incoming TCP Connection through a 615 Transport Converter 617 It is out of scope of this document to define specific Convert TLVs 618 to manage incoming connections. These TLVs can be defined in a 619 separate document. 621 4. The Convert Protocol (Convert) 623 This section describes the messages that are exchanged between a 624 Client and a Transport Converter. The Convert Protocol (Convert, for 625 short) uses a 32 bits long fixed header that is sent by both the 626 Client and the Transport Converter over each established connection. 627 This header indicates both the version of the protocol used and the 628 length of the Convert message. 630 4.1. The Convert Fixed Header 632 The Fixed Header is used to convey information about the version and 633 length of the messages exchanged between the Client and the Transport 634 Converter. 636 The Client and the Transport Converter MUST send the fixed-sized 637 header, shown in Figure 9, as the first four bytes of the bytestream. 639 1 2 3 640 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 641 +---------------+---------------+-------------------------------+ 642 | Version | Total Length | Unassigned | 643 +---------------+---------------+-------------------------------+ 645 Figure 9: The Fixed-Sized Header of the Convert Protocol 647 The Version is encoded as an 8 bits unsigned integer value. This 648 document specifies version 1. Version 0 is reserved by this document 649 and MUST NOT be used. 651 The Total Length is the number of 32 bits word, including the header, 652 of the bytestream that are consumed by the Convert messages. Since 653 Total Length is also an 8 bits unsigned integer, those messages 654 cannot consume more than 1020 bytes of data. This limits the number 655 of bytes that a Transport Converter needs to process. A Total Length 656 of zero is invalid and the connection MUST be reset upon reception of 657 a header with such total length. 659 The Unassigned field MUST be set to zero in this version of the 660 protocol. These bits are available for future use [RFC8126]. 662 Data added by the Convert protocol to the TCP bytestream in the 663 upstream connection is unambiguously distinguished from payload data 664 in the downstream connection by the Total Length field in the Convert 665 messages. 667 4.2. Convert TLVs 669 4.2.1. Generic Convert TLV Format 671 The Convert protocol uses variable length messages that are encoded 672 using the generic TLV (Type, Length, Value) format depicted in 673 Figure 10. 675 The length of all TLVs used by the Convert protocol is always a 676 multiple of four bytes. All TLVs are aligned on 32 bits boundaries. 677 All TLV fields are encoded using the network byte order. 679 1 2 3 680 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 681 +---------------+---------------+-------------------------------+ 682 | Type | Length | (optional) Value ... | 683 +---------------+---------------+-------------------------------+ 684 | ... (optional) Value | 685 +---------------------------------------------------------------+ 687 Figure 10: Convert Generic TLV Format 689 The Length field is expressed in units of 32 bits words. In general 690 zero padding MUST be added if the value's length in bytes can not be 691 expressed as 2+(4 * n). 693 A given TLV MUST only appear once on a connection. If two or more 694 instances of the same TLV are exchanged over a Convert connection, 695 the associated TCP connections MUST be closed. 697 4.2.2. Summary of Supported Convert TLVs 699 This document specifies the following Convert TLVs: 701 +------+-----+----------+------------------------------------------+ 702 | Type | Hex | Length | Description | 703 +------+-----+----------+------------------------------------------+ 704 | 1 | 0x1 | 1 | Info TLV | 705 | 10 | 0xA | Variable | Connect TLV | 706 | 20 | 0x14| Variable | Extended TCP Header TLV | 707 | 21 | 0x15| Variable | Supported TCP Extensions TLV | 708 | 22 | 0x16| Variable | Cookie TLV | 709 | 30 | 0x1E| Variable | Error TLV | 710 +------+-----+----------+------------------------------------------+ 712 Figure 11: The TLVs used by the Convert Protocol 714 Type 0x0 is a reserved valued. Implementations MUST discard messages 715 with such TLV. 717 The Client can request the establishment of connections to servers by 718 using the Connect TLV (Section 4.2.5). If the connection can be 719 established with the final server, the Transport Converter replies 720 with the Extended TCP Header TLV (Section 4.2.4). If not, the 721 Transport Converter returns an Error TLV (Section 4.2.8) and then 722 closes the connection. 724 As a general rule, when an error is encountered an Error TLV with the 725 appropriate error code MUST be returned by the Transport Converter. 727 4.2.3. The Info TLV 729 The Info TLV (Figure 12) is an optional TLV which can be sent by a 730 Client to request the TCP extensions that are supported by a 731 Transport Converter. It is typically sent on the first connection 732 that a Client establishes with a Transport Converter to learn its 733 capabilities. Assuming a Client is entitled to invoke the Transport 734 Converter, the latter replies with the Supported TCP Extensions TLV 735 described in Section 4.2.4. 737 1 2 3 738 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 739 +---------------+---------------+-------------------------------+ 740 | Type=0x1 | Length | Zero | 741 +---------------+---------------+-------------------------------+ 743 Figure 12: The Info TLV 745 4.2.4. Supported TCP Extensions TLV 747 The Supported TCP Extensions TLV (Figure 13) is used by a Transport 748 Converter to announce the TCP options for which it provides a 749 conversion service. A Transport Converter SHOULD include in this 750 list the TCP options that it accepts from Clients and that it 751 includes the SYN packets that it sends to initiate connections. 753 Each supported TCP option is encoded with its TCP option Kind listed 754 in the "TCP Parameters" registry maintained by IANA. 756 1 2 3 757 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 758 +---------------+---------------+-------------------------------+ 759 | Type=0x15 | Length | Unassigned | 760 +---------------+---------------+-------------------------------+ 761 | Kind #1 | Kind #2 | ... | 762 +---------------+---------------+-------------------------------+ 763 / ... / 764 / / 765 +---------------------------------------------------------------+ 767 Figure 13: The Supported TCP Extensions TLV 769 TCP option Kinds 0, 1, and 2 defined in [RFC0793] are supported by 770 all TCP implementations and thus MUST NOT appear in this list. 772 The list of Supported TCP Extension is padded with 0 to end on a 32 773 bits boundary. 775 For example, if the Transport Converter supports Multipath TCP, 776 Kind=30 will be present in the Supported TCP Extensions TLV that it 777 returns in response to Info TLV. 779 4.2.5. Connect TLV 781 The Connect TLV (Figure 14) is used to request the establishment of a 782 connection via a Transport Converter. This connection can be from or 783 to a client. 785 The 'Remote Peer Port' and 'Remote Peer IP Address' fields contain 786 the destination port number and IP address of the Server, for 787 outgoing connections. For incoming connections destined to a Client 788 serviced via a Transport Converter, these fields convey the source 789 port number and IP address. 791 The Remote Peer IP Address MUST be encoded as an IPv6 address. IPv4 792 addresses MUST be encoded using the IPv4-Mapped IPv6 Address format 793 defined in [RFC4291]. Further, Remote Peer IP address field MUST NOT 794 include multicast, broadcast, and host loopback addresses [RFC6890]. 795 Connect TLVs witch such messages MUST be discarded by the Transport 796 Converter. 798 We distinguish two types of Connect TLV based on their length: (1) 799 the base Connect TLV has a length of 20 bytes and contains a remote 800 address and a remote port, (2) the extended Connect TLV spans more 801 than 20 bytes and also includes the optional 'TCP Options' field. 802 This field is used to specify how specific TCP options should be 803 advertised by the Transport Converter to the server. 805 1 2 3 806 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 807 +---------------+---------------+-------------------------------+ 808 | Type=0xA | Length | Remote Peer Port | 809 +---------------+---------------+-------------------------------+ 810 | | 811 | Remote Peer IP Address (128 bits) | 812 | | 813 | | 814 +---------------------------------------------------------------+ 815 | TCP Options (Variable) | 816 | ... | 817 +---------------------------------------------------------------+ 819 Figure 14: The Connect TLV 821 The 'TCP Options' field is a variable length field that carries a 822 list of TCP option fields (Figure 15). Each TCP option field is 823 encoded as a block of 2+n bytes where the first byte is the TCP 824 option Kind and the second byte is the length of the TCP option as 825 specified in [RFC0793]. The minimum value for the TCP option Length 826 is 2. The TCP options that do not include a length subfield, i.e., 827 option types 0 (EOL) and 1 (NOP) defined in [RFC0793] MUST NOT be 828 placed inside the TCP options field of the Connect TLV. The optional 829 Value field contains the variable-length part of the TCP option. A 830 length of two indicates the absence of the Value field. The TCP 831 options field always ends on a 32 bits boundary after being padded 832 with zeros. 834 1 2 3 835 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 836 +---------------+---------------+---------------+---------------+ 837 | TCPOpt kind | TCPOpt Length | Value (opt) | .... | 838 +---------------+---------------+---------------+---------------+ 839 | .... | 840 +---------------------------------------------------------------+ 841 | ... | 842 +---------------------------------------------------------------+ 844 Figure 15: The TCP Options Field 846 Upon reception of a Connect TLV, and absent any policy (e.g., rate- 847 limit) or resource exhaustion conditions, a Transport Converter 848 attempts to establish a connection to the address and port that it 849 contains. The Transport Converter MUST use by default the TCP 850 options that correspond to its local policy to establish this 851 connection. These are the options that it advertises in the 852 Supported TCP Extensions TLV. 854 Upon reception of an extended Connect TLV, and absent any rate limit 855 policy or resource exhaustion conditions, a Transport Converter MUST 856 attempt to establish a connection to the address and port that it 857 contains. It MUST include the options of the 'TCP Options' subfield 858 in the SYN sent to the Server in addition to the TCP options that it 859 would have used according to its local policies. For the TCP options 860 that are listed without an optional value, the Transport Converter 861 MUST generate its own value. For the TCP options that are included 862 in the 'TCP Options' field with an optional value, it MUST copy the 863 entire option for use in the connection with the destination peer. 864 This feature is required to support TCP Fast Open. 866 The Transport Converter may discard a Connect TLV request for various 867 reasons (e.g., authorization failed, out of resources, invalid 868 address type). An error message indicating the encountered error is 869 returned to the requesting Client (Section 4.2.8). In order to 870 prevent denial-of-service attacks, error messages sent to a Client 871 SHOULD be rate-limited. 873 4.2.6. Extended TCP Header TLV 875 The Extended TCP Header TLV (Figure 16) is used by the Transport 876 Converter to send to the Client the extended TCP header that was 877 returned by the Server in the SYN+ACK packet. This TLV is only sent 878 if the Client sent a Connect TLV to request the establishment of a 879 connection. 881 1 2 3 882 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 883 +---------------+---------------+-------------------------------+ 884 | Type=0x14 | Length | Unassigned | 885 +---------------+---------------+-------------------------------+ 886 | Returned Extended TCP header | 887 | ... | 888 +---------------------------------------------------------------+ 890 Figure 16: The Extended TCP Header TLV 892 The Returned Extended TCP header field is a copy of the extended 893 header that was received in the SYN+ACK by the Transport Converter. 895 The Unassigned field MUST be set to zero by the transmitter and 896 ignored by the receiver. These bits are available for future use 897 [RFC8126]. 899 4.2.7. The Cookie TLV 901 The Cookie TLV (Figure 17 is an optional TLV which use is similar to 902 the TCP Fast Open Cookie [RFC7413]. A Transport Converter may want 903 to verify that its Clients can receive the packets that it sends to 904 prevent attacks from spoofed addresses. This verification can be 905 done by using a Cookie that is bound to, for example, the IP 906 address(es) of the Client. This Cookie can be configured on the 907 Client by means that are outside of this document or provided by the 908 Transport Converter as follows. 910 A Transport Converter that has been configured to use the optional 911 Cookie TLV MUST verify the presence of this TLV in the payload of the 912 received SYN. If this TLV is present, the Transport Converter MUST 913 validate the Cookie by means similar to those in Section 4.1.2 of 914 [RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the 915 connection establishment procedure can continue. Otherwise, the 916 Transport Converter MUST return an Error TLV set to "Not Authorized" 917 and close the connection. 919 If the received SYN did not contain a Cookie TLV, and cookie 920 validation is required, the Transport Converter should compute a 921 Cookie bound to this Client address and return a Convert message 922 containing the fixed header, an Error TLV set to "Missing Cookie" and 923 the computed Cookie and close the connection. The Client will react 924 to this error by storing the received Cookie in its cache and attempt 925 to reestablish a new connection to the Transport Converter that 926 includes the Cookie. 928 The format of the Cookie TLV is shown in the below figure. 930 1 2 3 931 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 932 +---------------+---------------+-------------------------------+ 933 | Type=0x16 | Length | Zero | 934 +---------------+---------------+-------------------------------+ 935 | Opaque Cookie | 936 | ... | 937 +---------------------------------------------------------------+ 939 Figure 17: The Cookie TLV 941 4.2.8. Error TLV 943 The Error TLV (Figure 18) is used by the Transport Converter to 944 provide information about some errors that occurred during the 945 processing of Convert message. This TLV has a variable length. It 946 appears after the Convert fixed-header in the bytestream returned by 947 the Transport Converter. Upon reception of an Error TLV, a Client 948 MUST close the associated connection. 950 1 2 3 951 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 952 +---------------+---------------+----------------+--------------+ 953 | Type=0x1E | Length | Error code | Value | 954 +---------------+---------------+----------------+--------------+ 956 Figure 18: The Error TLV 958 Different types of errors can occur while processing Convert 959 messages. Each error is identified by an Error code represented as 960 an unsigned integer. Four classes of Error codes are defined: 962 o Message validation and processing errors (0-31 range): returned 963 upon reception of an invalid message (including valid messages but 964 with invalid or unknown TLVs). 966 o Client-side errors (32-63 range): the Client sent a request that 967 could not be accepted by the Transport Converter (e.g., 968 unsupported operation). 970 o Converter-side errors (64-95 range): problems encountered on the 971 Transport Converter (e.g., lack of resources) which prevent it 972 from fulfilling the Client's request. 974 o Errors caused by the destination server (96-127 range): the final 975 destination could not be reached or it replied with a reset. 977 The following error codes are defined in this document: 979 o Unsupported Version (0): The version number indicated in the fixed 980 header of a message received from a peer is not supported. 982 This error code MUST be generated by a Transport Converter when it 983 receives a request having a version number that it does not 984 support. 986 The value field MUST be set to the version supported by the 987 Transport Converter. When multiple versions are supported by the 988 Transport Converter, it includes the list of supported version in 989 the value field; each version is encoded in 8 bits. The list of 990 supported versions should be padded with zeros to end on a 32 bits 991 boundary. 993 Upon receipt of this error code, the client checks whether it 994 supports one of the versions returned by the Transport Converter. 995 The highest common supported version MUST be used by the client in 996 subsequent exchanges with the Transport Converter. 998 o Malformed Message (1): This error code is sent to indicate that a 999 message can not be successfully parsed and validated. 1001 Typically, this error code is sent by the Transport Converter if 1002 it receives a Connect TLV enclosing a multicast, broadcast, or 1003 loopback IP address. 1005 To ease troubleshooting, the value field MUST echo the received 1006 message shifted by one byte to keep to original alignment of the 1007 message. 1009 o Unsupported Message (2): This error code is sent to indicate that 1010 a message type is not supported by the Transport Converter. 1012 To ease troubleshooting, the value field MUST echo the received 1013 message shifted by one byte to keep to original alignment of the 1014 message. 1016 o Missing Cookie (3): If a Transport Converter requires the 1017 utilization of Cookies to prevent spoofing attacks and a Cookie 1018 TLV was not included in the Convert message, the Transport 1019 Converter MUST return this error to the requesting client. The 1020 first byte of the value field MUST be set to zero and the 1021 remaining bytes of the Error TLV contain the Cookie computed by 1022 the Transport Converter for this Client. 1024 A Client which receives this error code MUST cache the received 1025 Cookie and include it in subsequent Convert messages sent to that 1026 Transport Converter. 1028 o Not Authorized (32): This error code indicates that the Transport 1029 Converter refused to create a connection because of a lack of 1030 authorization (e.g., administratively prohibited, authorization 1031 failure, invalid Cookie TLV, etc.). The Value field MUST be set 1032 to zero. 1034 This error code MUST be sent by the Transport Converter when a 1035 request cannot be successfully processed because the authorization 1036 failed. 1038 o Unsupported TCP Option (33): A TCP option that the Client 1039 requested to advertise to the final Server cannot be safely used. 1041 The Value field is set to the type of the unsupported TCP option. 1042 If several unsupported TCP options were specified in the Connect 1043 TLV, then the list of unsupported TCP options is returned. The 1044 list of unsupported TCP options MUST be padded with zeros to end 1045 on a 32 bits boundary. 1047 o Resource Exceeded (64): This error indicates that the Transport 1048 Converter does not have enough resources to perform the request. 1050 This error MUST be sent by the Transport Converter when it does 1051 not have sufficient resources to handle a new connection. The 1052 Transport Converter may indicate in the Value field the suggested 1053 delay (in seconds) that the Client SHOULD wait before soliciting 1054 the Transport Converter for a new proxied connection. A Value of 1055 zero corresponds to a default delay of at least 30 seconds. 1057 o Network Failure (65): This error indicates that the Transport 1058 Converter is experiencing a network failure to relay the request. 1060 The Transport Converter MUST send this error code when it 1061 experiences forwarding issues to relay a connection. The 1062 Transport Converter may indicate in the Value field the suggested 1063 delay (in seconds) that the Client SHOULD wait before soliciting 1064 the Transport Converter for a new proxied connection. A Value of 1065 zero corresponds to a default delay of at least 30 seconds. 1067 o Connection Reset (96): This error indicates that the final 1068 destination responded with a RST packet. The Value field MUST be 1069 set to zero. 1071 o Destination Unreachable (97): This error indicates that an ICMP 1072 destination unreachable, port unreachable, or network unreachable 1073 was received by the Transport Converter. The Value field MUST 1074 echo the Code field of the received ICMP message. 1076 Figure 19 summarizes the different error codes. 1078 +-------+------+-----------------------------------------------+ 1079 | Error | Hex | Description | 1080 +-------+------+-----------------------------------------------+ 1081 | 0 | 0x00 | Unsupported Version | 1082 | 1 | 0x01 | Malformed Message | 1083 | 2 | 0x02 | Unsupported Message | 1084 | 3 | 0x03 | Missing Cookie | 1085 | 32 | 0x20 | Not Authorized | 1086 | 33 | 0x21 | Unsupported TCP Option | 1087 | 64 | 0x40 | Resource Exceeded | 1088 | 65 | 0x41 | Network Failure | 1089 | 96 | 0x60 | Connection Reset | 1090 | 97 | 0x61 | Destination Unreachable | 1091 +-------+------+-----------------------------------------------+ 1093 Figure 19: Convert Error Values 1095 5. Compatibility of Specific TCP Options with the Conversion Service 1097 In this section, we discuss how several standard track TCP options 1098 can be supported through the Convert protocol. The non-standard 1099 track options and the experimental options will be discussed in other 1100 documents. 1102 5.1. Base TCP Options 1104 Three TCP options were initially defined in [RFC0793]: End-of-Option 1105 List (Kind=0), No-Operation (Kind=1) and Maximum Segment Size 1106 (Kind=2). The first two options are mainly used to pad the TCP 1107 header. There is no reason for a client to request a Transport 1108 Converter to specifically send these options towards the final 1109 destination. 1111 The Maximum Segment Size option (Kind=2) is used by a host to 1112 indicate the largest segment that it can receive over each 1113 connection. This value is function of the stack that terminates the 1114 TCP connection. There is no reason for a Client to request a 1115 Transport Converter to advertise a specific MSS value to a remote 1116 server. 1118 A Transport Converter MUST ignore options with Kind=0, 1 or 2 if they 1119 appear in a Connect TLV. It MUST NOT announce them in a Supported 1120 TCP Extensions TLV. 1122 5.2. Window Scale (WS) 1124 The Window Scale option (Kind=3) is defined in [RFC7323]. As for the 1125 MSS option, the window scale factor that is used for a connection 1126 strongly depends on the TCP stack that handles the connection. When 1127 a Transport Converter opens a TCP connection towards a remote server 1128 on behalf of a Client, it SHOULD use a WS option with a scaling 1129 factor that corresponds to the configuration of its stack. A local 1130 configuration MAY allow for WS option in the proxied message to be 1131 function of the scaling factor of the incoming connection. 1133 There is no benefit from a deployment viewpoint in enabling a Client 1134 of a Transport Converter to specifically request the utilisation of 1135 the WS option (Kind=3) with a specific scaling factor towards a 1136 remote Server. For this reason, a Transport Converter MUST ignore 1137 option Kind=3 if it appears in a Connect TLV. It MUST NOT announce 1138 it in a Supported TCP Extensions TLV. 1140 5.3. Selective Acknowledgements 1142 Two distinct TCP options were defined to support selective 1143 acknowledgements in [RFC2018]. This first one, SACK Permitted 1144 (Kind=4), is used to negotiate the utilisation of selective 1145 acknowledgements during the three-way handshake. The second one, 1146 SACK (Kind=5), carries the selective acknowledgements inside regular 1147 segments. 1149 The SACK Permitted option (Kind=4) MAY be advertised by a Transport 1150 Converter in the Supported TCP Extensions TLV. Clients connected to 1151 this Transport Converter MAY include the SACK Permitted option in the 1152 Connect TLV. 1154 The SACK option (Kind=5) cannot be used during the three-way 1155 handshake. For this reason, a Transport Converter MUST ignore option 1156 Kind=5 if it appears in a Connect TLV. It MUST NOT announce it in a 1157 TCP Supported Extensions TLV. 1159 5.4. Timestamp 1161 The Timestamp option was initially defined in [RFC1323] and later 1162 refined in [RFC7323]. It can be used during the three-way handshake 1163 to negotiate the utilization of timestamps during the TCP connection. 1164 It is notably used to improve round-trip-time estimations and to 1165 provide protection against wrapped sequence numbers (PAWS). As for 1166 the WS option, the timestamps are a property of a connection and 1167 there is limited benefit in enabling a client to request a Transport 1168 Converter to use the timestamp option when establishing a connection 1169 to a remote server. Furthermore, the timestamps that are used by TCP 1170 stacks are specific to each stack and there is no benefit in enabling 1171 a client to specify the timestamp value that a Transport Converter 1172 could use to establish a connection to a remote server. 1174 A Transport Converter MAY advertise the Timestamp option (Kind=8) in 1175 the TCP Supported Extensions TLV. The clients connected to this 1176 Transport Converter MAY include the Timestamp option in the Connect 1177 TLV but without any timestamp. 1179 5.5. Multipath TCP 1181 The Multipath TCP options are defined in [RFC6824]. [RFC6824] 1182 defines one variable length TCP option (Kind=30) that includes a 1183 subtype field to support several Multipath TCP options. There are 1184 several operational use cases where clients would like to use 1185 Multipath TCP through a Transport Converter [IETFJ16]. However, none 1186 of these use cases require the Client to specify the content of the 1187 Multipath TCP option that the Transport Converter should send to a 1188 remote server. 1190 A Transport Converter which supports Multipath TCP conversion service 1191 MUST advertise the Multipath TCP option (Kind=30) in the Supported 1192 TCP Extensions TLV. Clients serviced by this Transport Converter may 1193 include the Multipath TCP option in the Connect TLV but without any 1194 content. 1196 5.6. TCP Fast Open 1198 The TCP Fast Open cookie option (Kind=34) is defined in [RFC7413]. 1199 There are two different usages of this option that need to be 1200 supported by Transport Converters. The first utilization of the TCP 1201 Fast Open cookie option is to request a cookie from the server. In 1202 this case, the option is sent with an empty cookie by the client and 1203 the server returns the cookie. The second utilization of the TCP 1204 Fast Open cookie option is to send a cookie to the server. In this 1205 case, the option contains a cookie. 1207 A Transport Converter MAY advertise the TCP Fast Open cookie option 1208 (Kind=34) in the Supported TCP Extensions TLV. If a Transport 1209 Converter has advertised the support for TCP Fast Open in its 1210 Supported TCP Extensions TLV, it needs to be able to process two 1211 types of Connect TLV. If such a Transport Converter receives a 1212 Connect TLV with the TCP Fast Open cookie option that does not 1213 contain a cookie, it MUST add an empty TCP Fast Open cookie option in 1214 the SYN sent to the remote server. If such a Transport Converter 1215 receives a Connect TLV with the TCP Fast Open cookie option that 1216 contains a cookie, it MUST copy the TCP Fast Open cookie option in 1217 the SYN sent to the remote server. 1219 5.7. TCP User Timeout 1221 The TCP User Timeout option is defined in [RFC5482]. The associated 1222 TCP option (Kind=28) does not appear to be widely deployed. 1224 5.8. TCP-AO 1226 TCP-AO [RFC5925] provides a technique to authenticate all the packets 1227 exchanged over a TCP connection. Given the nature of this extension, 1228 it is unlikely that the applications that require their packets to be 1229 authenticated end-to-end would want their connections to pass through 1230 a converter. For this reason, we do not recommend the support of the 1231 TCP-AO option by Transport Converters. The only use cases where it 1232 could make sense to combine TCP-AO and the solution in this document 1233 are those where the TCP-AO-NAT extension [RFC6978] is in use. 1235 A Transport Converter MUST NOT advertise the TCP-AO option (Kind=29) 1236 in the Supported TCP Extensions TLV. If a Transport Converter 1237 receives a Connect TLV that contains the TCP-AO option, it MUST 1238 reject the establishment of the connection with error code set to 1239 "Unsupported TCP Option", except if the TCP-AO-NAT option is used. 1241 5.9. TCP Experimental Options 1243 The TCP Experimental options are defined in [RFC4727]. Given the 1244 variety of semantics for these options and their experimental nature, 1245 it is impossible to discuss them in details in this document. 1247 6. Interactions with Middleboxes 1249 The Convert Protocol is designed to be used in networks that do not 1250 contain middleboxes that interfere with TCP. Under such conditions, 1251 it is assumed that the network provider ensures that all involved on- 1252 path nodes are not breaking TCP signals (e.g., strip TCP options, 1253 discard some SYNs, etc.). 1255 Nevertheless, and in order to allow for a robust service, this 1256 section describes how a Client can detect middlebox interference and 1257 stop using the Transport Converter affected by this interference. 1259 Internet measurements [IMC11] have shown that middleboxes can affect 1260 the deployment of TCP extensions. In this section, we only discuss 1261 the middleboxes that modify SYN and SYN+ACK packets since the Convert 1262 Protocol places its messages in such packets. 1264 Consider a middlebox that removes the SYN payload. The Client can 1265 detect this problem by looking at the acknowledgement number field of 1266 the SYN+ACK returned by the Transport Converter. The Client MUST 1267 stop to use this Transport Converter given the middlebox 1268 interference. 1270 As explained in [RFC7413], some CGNs (Carrier Grade NATs) can affect 1271 the operation of TFO if they assign different IP addresses to the 1272 same end host. Such CGNs could affect the operation of the TFO 1273 Option used by the Convert Protocol. As a reminder CGNs, enabled on 1274 the path between a Client and a Transport Converter, must adhere to 1275 the address preservation defined in [RFC6888]. See also the 1276 discussion in Section 7.1 of [RFC7413]. 1278 7. Security Considerations 1280 7.1. Privacy & Ingress Filtering 1282 The Transport Converter may have access to privacy-related 1283 information (e.g., subscriber credentials). The Transport Converter 1284 is designed to not leak such sensitive information outside a local 1285 domain. 1287 Given its function and its location in the network, a Transport 1288 Converter has access to the payload of all the packets that it 1289 processes. As such, it MUST be protected as a core IP router (e.g., 1290 [RFC1812]). 1292 Furthermore, ingress filtering policies MUST be enforced at the 1293 network boundaries [RFC2827]. 1295 This document assumes that all network attachments are managed by the 1296 same administrative entity. Therefore, enforcing anti-spoofing 1297 filters at these network ensures that hosts are not sending traffic 1298 with spoofed source IP addresses. 1300 7.2. Authorization 1302 The Convert Protocol is intended to be used in managed networks where 1303 end hosts can be identified by their IP address. 1305 Stronger mutual authentication schemes MUST be defined to use the 1306 Convert Protocol in more open network environments. One possibility 1307 is to use TLS to perform mutual authentication between the client and 1308 the Converter. That is, use TLS when a Client retrieves a Cookie 1309 from the Converter and rely on certificate-based client 1310 authentication, pre-shared key based [RFC4279] or raw public key 1311 based client authentication [RFC7250] to secure this connection. 1313 If the authentication succeeds, the Converter returns a cookie to the 1314 Client. Subsequent Connect messages will be authorized as a function 1315 of the content of the Cookie TLV. 1317 In deployments where network-assisted connections are not allowed 1318 between hosts of a domain (i.e., hairpinning), the Converter may be 1319 instructed to discard such connections. Hairpinned connections are 1320 thus rejected by the Transport Converter by returning an Error TLV 1321 set to "Not Authorized". Absent explicit configuration otherwise, 1322 hairpinning is enabled by the Converter (see Figure 20. 1324 <===Network Provider===> 1326 +----+ from X1:x1 to X2':x2' +-----+ X1':x1' 1327 | C1 |>>>>>>>>>>>>>>>>>>>>>>>>>>>>>--+--- 1328 +----+ | v | 1329 | v | 1330 | v | 1331 | v | 1332 +----+ from X1':x1' to X2:x2 | v | X2':x2' 1333 | C2 |<<<<<<<<<<<<<<<<<<<<<<<<<<<<<--+--- 1334 +----+ +-----+ 1335 Converter 1337 Note: X2':x2' may be equal to 1338 X2:x2 1340 Figure 20: Hairpinning Example 1342 See below for authorization considerations that are specific for 1343 Multipath TCP. 1345 7.3. Denial of Service 1347 Another possible risk is the amplification attacks since a Transport 1348 Converter sends a SYN towards a remote Server upon reception of a SYN 1349 from a Client. This could lead to amplification attacks if the SYN 1350 sent by the Transport Converter were larger than the SYN received 1351 from the Client or if the Transport Converter retransmits the SYN. 1352 To mitigate such attacks, the Transport Converter SHOULD rate limit 1353 the number of pending requests for a given Client. It SHOULD also 1354 avoid sending to remote Servers SYNs that are significantly longer 1355 than the SYN received from the Client. Finally, the Transport 1356 Converter SHOULD only retransmit a SYN to a Server after having 1357 received a retransmitted SYN from the corresponding Client. Means to 1358 protect against SYN flooding attacks MUST also be enabled [RFC4987]. 1360 7.4. Traffic Theft 1362 Traffic theft is a risk if an illegitimate Converter is inserted in 1363 the path. Indeed, inserting an illegitimate Converter in the 1364 forwarding path allows traffic interception and can therefore provide 1365 access to sensitive data issued by or destined to a host. Converter 1366 discovery and configuration are out of scope of this document. 1368 7.5. Multipath TCP-specific Considerations 1370 Multipath TCP-related security threats are discussed in [RFC6181] and 1371 [RFC6824]. 1373 The operator that manages the various network attachments (including 1374 the Transport Converters) can enforce authentication and 1375 authorization policies using appropriate mechanisms. For example, a 1376 non-exhaustive list of methods to achieve authorization is provided 1377 hereafter: 1379 o The network provider may enforce a policy based on the 1380 International Mobile Subscriber Identity (IMSI) to verify that a 1381 user is allowed to benefit from the aggregation service. If that 1382 authorization fails, the Packet Data Protocol (PDP) context/bearer 1383 will not be mounted. This method does not require any interaction 1384 with the Transport Converter. 1386 o The network provider may enforce a policy based upon Access 1387 Control Lists (ACLs), e.g., at a Broadband Network Gateway (BNG) 1388 to control the hosts that are authorized to communicate with a 1389 Transport Converter. These ACLs may be installed as a result of 1390 RADIUS exchanges, e.g., [I-D.boucadair-radext-tcpm-converter]. 1391 This method does not require any interaction with the Transport 1392 Converter. 1394 o A device that embeds a Transport Converter may also host a RADIUS 1395 client that will solicit an AAA server to check whether 1396 connections received from a given source IP address are authorized 1397 or not [I-D.boucadair-radext-tcpm-converter]. 1399 A first safeguard against the misuse of Transport Converter resources 1400 by illegitimate users (e.g., users with access networks that are not 1401 managed by the same provider that operates the Transport Converter) 1402 is the Transport Converter to reject Multipath TCP connections 1403 received on its Internet-facing interfaces. Only Multipath TCP 1404 connections received on the customer-facing interfaces of a Transport 1405 Converter will be accepted. 1407 8. IANA Considerations 1409 8.1. Convert Service Port Number 1411 IANA is requested to assign a TCP port number (TBA) for the Convert 1412 Protocol from the "Service Name and Transport Protocol Port Number 1413 Registry" available at https://www.iana.org/assignments/service- 1414 names-port-numbers/service-names-port-numbers.xhtml. 1416 8.2. The Convert Protocol (Convert) Parameters 1418 IANA is requested to create a new "The Convert Protocol (Convert) 1419 Parameters" registry. 1421 The following subsections detail new registries within "The Convert 1422 Protocol (Convert) Parameters" registry. 1424 8.2.1. Convert Versions 1426 IANA is requested to create the "Convert versions" sub-registry. New 1427 values are assigned via IETF Review (Section 4.8 of [RFC8126]). 1429 The initial values to be assigned at the creation of the registry are 1430 as follows: 1432 +---------+--------------------------------------+-------------+ 1433 | Version | Description | Reference | 1434 +---------+--------------------------------------+-------------+ 1435 | 0 | Reserved by this document | [This-RFC] | 1436 | 1 | Assigned by this document | [This-RFC] | 1437 +---------+--------------------------------------+-------------+ 1439 8.2.2. Convert TLVs 1441 IANA is requested to create the "Convert TLVs" sub-registry. The 1442 procedure for assigning values from this registry is as follows: 1444 o The values in the range 1-127 can be assigned via IETF Review. 1446 o The values in the range 128-191 can be assigned via Specification 1447 Required. 1449 o The values in the range 192-255 can be assigned for Private Use. 1451 The initial values to be assigned at the creation of the registry are 1452 as follows: 1454 +---------+--------------------------------------+-------------+ 1455 | Code | Name | Reference | 1456 +---------+--------------------------------------+-------------+ 1457 | 0 | Reserved | [This-RFC] | 1458 | 1 | Info TLV | [This-RFC] | 1459 | 10 | Connect TLV | [This-RFC] | 1460 | 20 | Extended TCP Header TLV | [This-RFC] | 1461 | 21 | Supported TCP Extension TLV | [This-RFC] | 1462 | 22 | Cookie TLV | [This-RFC] | 1463 | 30 | Error TLV | [This-RFC] | 1464 +---------+--------------------------------------+-------------+ 1466 8.2.3. Convert Error Messages 1468 IANA is requested to create the "Convert Errors" sub-registry. Codes 1469 in this registry are assigned as a function of the error type. Four 1470 types are defined; the following ranges are reserved for each of 1471 these types: 1473 o Message validation and processing errors: 0-31 1475 o Client-side errors: 32-63 1477 o Transport Converter-side errors: 64-95 1479 o Errors caused by destination server: 96-127 1481 The procedure for assigning values from this sub-registry is as 1482 follows: 1484 o 0-191: Values in this range are assigned via IETF Review. 1486 o 192-255: Values in this range are assigned via Specification 1487 Required. 1489 The initial values to be assigned at the creation of the registry are 1490 as follows: 1492 +-------+------+-----------------------------------+-----------+ 1493 | Error | Hex | Description | Reference | 1494 +-------+------+-----------------------------------+-----------+ 1495 | 0 | 0x00 | Unsupported Version | [This-RFC]| 1496 | 1 | 0x01 | Malformed Message | [This-RFC]| 1497 | 2 | 0x02 | Unsupported Message | [This-RFC]| 1498 | 3 | 0x03 | Missing Cookie | [This-RFC]| 1499 | 32 | 0x20 | Not Authorized | [This-RFC]| 1500 | 33 | 0x21 | Unsupported TCP Option | [This-RFC]| 1501 | 64 | 0x40 | Resource Exceeded | [This-RFC]| 1502 | 65 | 0x41 | Network Failure | [This-RFC]| 1503 | 96 | 0x60 | Connection Reset | [This-RFC]| 1504 | 97 | 0x61 | Destination Unreachable | [This-RFC]| 1505 +-------+------+-----------------------------------+-----------+ 1507 Figure 21: The Convert Error Codes 1509 9. Acknowledgements 1511 Although they could disagree with the contents of the document, we 1512 would like to thank Joe Touch and Juliusz Chroboczek whose comments 1513 on the MPTCP mailing list have forced us to reconsider the design of 1514 the solution several times. 1516 We would like to thank Raphael Bauduin, Stefano Secci, Anandatirtha 1517 Nandugudi and Gregory Vander Schueren for their help in preparing 1518 this document. Nandini Ganesh provided valuable feedback about the 1519 handling of TFO and the error codes. Thanks to them. 1521 Thanks to Yuchung Cheng and Praveen Balasubramanian for the 1522 discussion on supplying data in SYNs. 1524 This document builds upon earlier documents that proposed various 1525 forms of Multipath TCP proxies [I-D.boucadair-mptcp-plain-mode], 1526 [I-D.peirens-mptcp-transparent] and [HotMiddlebox13b]. 1528 From [I-D.boucadair-mptcp-plain-mode]: 1530 Many thanks to Chi Dung Phung, Mingui Zhang, Rao Shoaib, Yoshifumi 1531 Nishida, and Christoph Paasch for their valuable comments. 1533 Thanks to Ian Farrer, Mikael Abrahamsson, Alan Ford, Dan Wing, and 1534 Sri Gundavelli for the fruitful discussions in IETF#95 (Buenos 1535 Aires). 1537 Special thanks to Pierrick Seite, Yannick Le Goff, Fred Klamm, and 1538 Xavier Grall for their inputs. 1540 Thanks also to Olaf Schleusing, Martin Gysi, Thomas Zasowski, Andreas 1541 Burkhard, Silka Simmen, Sandro Berger, Michael Melloul, Jean-Yves 1542 Flahaut, Adrien Desportes, Gregory Detal, Benjamin David, Arun 1543 Srinivasan, and Raghavendra Mallya for the discussion. 1545 9.1. Contributors 1547 Bart Peirens contributed to an early version of the document. 1549 As noted above, this document builds on two previous documents. 1551 The authors of [I-D.boucadair-mptcp-plain-mode] were: 1553 o Mohamed Boucadair 1555 o Christian Jacquenet 1557 o Olivier Bonaventure 1559 o Denis Behaghel 1561 o Stefano Secci 1563 o Wim Henderickx 1565 o Robert Skog 1567 o Suresh Vinapamula 1569 o SungHoon Seo 1571 o Wouter Cloetens 1573 o Ullrich Meyer 1575 o Luis M. Contreras 1577 o Bart Peirens 1579 The authors of [I-D.peirens-mptcp-transparent] were: 1581 o Bart Peirens 1583 o Gregory Detal 1585 o Sebastien Barre 1587 o Olivier Bonaventure 1589 10. Change Log 1591 This section to be removed before publication. 1593 o 00 : initial version, designed to support Multipath TCP and TFO 1594 only 1596 o 00 to -01 : added section Section 5 describing the support of 1597 different standard tracks TCP options by Transport Converters, 1598 clarification of the IANA section, moved the SOCKS comparison to 1599 the appendix and various minor modifications 1601 o 01 to -02: Minor modifications 1603 o 02 to -03: Minor modifications 1605 o 03 to -04: Minor modifications 1607 o 04 to -05: Integrate a lot of feedback from implementors who have 1608 worked on client and server side implementations. The main 1609 modifications are the following : 1611 * TCP Fast Open is not strictly required anymore. Several 1612 implementors expressed concerns about this requirement. The 1613 TFO Cookie protects from some attack scenarios that affect open 1614 servers like web servers. The Convert protocol is different 1615 and as discussed in RFC7413, there are different ways to 1616 protect from such attacks. Instead of using a TFO cookie 1617 inside the TCP options, which consumes precious space in the 1618 extended TCP header, this version supports the utilisation of a 1619 Cookie that is placed in the SYN payload. This provides the 1620 same level of protection as a TFO Cookie in environments were 1621 such protection is required. 1623 * the Boostrap procedure has been simplified based on feedback 1624 from implementers 1626 * Error messages are not included in RST segments anymore but 1627 sent in the bytestream. Implementors have indicated that 1628 processing such segments on clients was difficult on some 1629 platforms. This change simplifies client implementations. 1631 * Many minor editorial changes to clarify the text based on 1632 implementors feedback. 1634 o 05 to -06: Many clarifications to integrate the comments from the 1635 chairs in preparation to the WGLC: 1637 * Updated IANA policy to require "IETF Review" instead of 1638 "Standard Action" 1640 * Call out explicilty that data in SYNs are relayed by the 1641 Converter 1643 * Reiterate the scope 1645 * Hairpinning behavior can be disabled (policy-based) 1647 * Fix nits 1649 o 07: 1651 * Update the text about supplying data in SYNs to make it clear 1652 that a constraint defined in RFC793 is relaxed folloiwng the 1653 same rationale as in RFC7413. 1655 * Nits 1657 * Added Appendix A on example Socket API changes 1659 o 08: 1661 * Added short discusion on the termination of connections 1663 11. Example Socket API Changes to Support the 0-RTT Convert Protocol 1665 11.1. Active Open (Client Side) 1667 On the client side, the support of the 0-RTT Converter protocol does 1668 not require any other changes than those identified in Appendix A of 1669 [RFC7413]. Those modifications are already supported by multiple TCP 1670 stacks. 1672 As an example, on Linux, a client can send the 0-RTT Convert message 1673 inside a SYN by using sendto with the MSG_FASTOPEN flag as shown in 1674 the example below: 1676 s = socket(AF_INET, SOCK_STREAM, 0); 1678 sendto(s, buffer, buffer_len, MSG_FASTOPEN, 1679 (struct sockaddr *) &server_addr, addr_len); 1681 The client side of the Linux TCP TFO can be used in two different 1682 modes depending on the host configuration (sysctl tcp_fastopen 1683 variable): 1685 o 0x1: (client) enables sending data in the opening SYN on the 1686 client. 1688 o 0x4: (client) send data in the opening SYN regardless of cookie 1689 availability and without a cookie option. 1691 By setting this configuration variable to 0x5, a Linux client using 1692 the above code would send data inside the SYN without using a TFO 1693 option. 1695 11.2. Passive Open (Converter Side) 1697 The Converter needs to enable the reception of data inside the SYN 1698 independently of the utilisation of the TFO option. This implies 1699 that the Transport Converter application cannot rely on the TFO 1700 cookies to validate the reachability of the IP address that sent the 1701 SYN. It must rely on other techniques, such as the Cookie TLV 1702 described in this document, to verify this reachability. 1704 [RFC7413] suggested the utilisation of a TCP_FASTOPEN socket option 1705 the enable the reception of SYNs containing data. Later, Appendix A 1706 of [RFC7413], mentionned: 1708 Traditionally, accept() returns only after a socket is connected. 1709 But, for a Fast Open connection, accept() returns upon receiving 1710 SYN with a valid Fast Open cookie and data, and the data is available 1711 to be read through, e.g., recvmsg(), read(). 1713 To support the 0-RTT Convert protocol, this behaviour should be 1714 modified as follows: 1716 Traditionally, accept() returns only after a socket is connected. 1717 But, for a Fast Open connection, accept() returns upon receiving a 1718 SYN with data, and the data is available to be read through, e.g., 1719 recvmsg(), read(). The application that receives such SYNs with data 1720 must be able to validate the reachability of the source of the SYN 1721 and also deal with replayed SYNs. 1723 The Linux server side can be configured with the following sysctls: 1725 o 0x2: (server) enables the server support, i.e., allowing data in a 1726 SYN packet to be accepted and passed to the application before 1727 3-way handshake finishes. 1729 o 0x200: (server) accept data-in-SYN w/o any cookie option present. 1731 However, this configuration is system-wide. This is convenient for 1732 typical Transport Converter deployments where no other applications 1733 relying on TFO are collocated on the same device. 1735 Recently, the TCP_FASTOPEN_NO_COOKIE socket option has been added to 1736 provide the same behaviour on a per socket basis. This enables a 1737 single host to support both servers that require the TFO cookie and 1738 servers that do not use it. 1740 12. Differences with SOCKSv5 1742 At a first glance, the solution proposed in this document could seem 1743 similar to the SOCKS v5 protocol [RFC1928] which is used to proxy TCP 1744 connections. The Client creates a connection to a SOCKS proxy, 1745 exchanges authentication information and indicates the destination 1746 address and port of the final server. At this point, the SOCKS proxy 1747 creates a connection towards the final server and relays all data 1748 between the two proxied connections. The operation of an 1749 implementation based on SOCKSv5 is illustrated in Figure 22. 1751 Client SOCKS Proxy Server 1752 --------------------> 1753 SYN 1754 <-------------------- 1755 SYN+ACK 1756 --------------------> 1757 ACK 1759 --------------------> 1760 Version=5, Auth Methods 1761 <-------------------- 1762 Method 1763 --------------------> 1764 Auth Request (unless "No auth" method negotiated) 1765 <-------------------- 1766 Auth Response 1767 --------------------> 1768 Connect Server:Port --------------------> 1769 SYN 1771 <-------------------- 1772 SYN+ACK 1773 <-------------------- 1774 Succeeded 1776 --------------------> 1777 Data1 1778 --------------------> 1779 Data1 1781 <-------------------- 1782 Data2 1783 <-------------------- 1784 Data2 1786 Figure 22: Establishment of a TCP connection through a SOCKS proxy 1787 without authentication 1789 The Convert protocol also relays data between an upstream and a 1790 downstream connection, but there are important differences with 1791 SOCKSv5. 1793 A first difference is that the Convert protocol exchanges all control 1794 information during the three-way handshake. This reduces the 1795 connection establishment delay compared to SOCKS that requires two or 1796 more round-trip-times before the establishment of the downstream 1797 connection towards the final destination. In today's Internet, 1798 latency is a important metric and various protocols have been tuned 1799 to reduce their latency [I-D.arkko-arch-low-latency]. A recently 1800 proposed extension to SOCKS also leverages the TFO option 1801 [I-D.olteanu-intarea-socks-6]. 1803 A second difference is that the Convert protocol explicitly takes the 1804 TCP extensions into account. By using the Convert protocol, the 1805 Client can learn whether a given TCP extension is supported by the 1806 destination Server. This enables the Client to bypass the Transport 1807 Converter when the destination supports the required TCP extension. 1808 Neither SOCKS v5 [RFC1928] nor the proposed SOCKS v6 1809 [I-D.olteanu-intarea-socks-6] provide such a feature. 1811 A third difference is that a Transport Converter will only accept the 1812 connection initiated by the Client provided that the downstream 1813 connection is accepted by the Server. If the Server refuses the 1814 connection establishment attempt from the Transport Converter, then 1815 the upstream connection from the Client is rejected as well. This 1816 feature is important for applications that check the availability of 1817 a Server or use the time to connect as a hint on the selection of a 1818 Server [RFC8305]. 1820 A fourth difference is that the Convert protocol only allows the 1821 client to specify the address/port of the destination server and not 1822 a DNS name. We evaluated an alternate design for the Connect TLV 1823 that included the DNS name of the remote peer instead of its IP 1824 address as in SOCKS [RFC1928]. However, that design was not adopted 1825 because it induces both an extra load and increased delays on the 1826 Transport Converter to handle and manage DNS resolution requests. 1828 13. References 1830 13.1. Normative References 1832 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 1833 RFC 793, DOI 10.17487/RFC0793, September 1981, 1834 . 1836 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1837 Requirement Levels", BCP 14, RFC 2119, 1838 DOI 10.17487/RFC2119, March 1997, 1839 . 1841 [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key 1842 Ciphersuites for Transport Layer Security (TLS)", 1843 RFC 4279, DOI 10.17487/RFC4279, December 2005, 1844 . 1846 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 1847 Architecture", RFC 4291, DOI 10.17487/RFC4291, February 1848 2006, . 1850 [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, 1851 ICMPv6, UDP, and TCP Headers", RFC 4727, 1852 DOI 10.17487/RFC4727, November 2006, 1853 . 1855 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 1856 Translation (NAT) Behavioral Requirements for Unicast 1857 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 1858 2007, . 1860 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 1861 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 1862 . 1864 [RFC5482] Eggert, L. and F. Gont, "TCP User Timeout Option", 1865 RFC 5482, DOI 10.17487/RFC5482, March 2009, 1866 . 1868 [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP 1869 Authentication Option", RFC 5925, DOI 10.17487/RFC5925, 1870 June 2010, . 1872 [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, 1873 "TCP Extensions for Multipath Operation with Multiple 1874 Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013, 1875 . 1877 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 1878 A., and H. Ashida, "Common Requirements for Carrier-Grade 1879 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 1880 April 2013, . 1882 [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, 1883 "Special-Purpose IP Address Registries", BCP 153, 1884 RFC 6890, DOI 10.17487/RFC6890, April 2013, 1885 . 1887 [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., 1888 Weiler, S., and T. Kivinen, "Using Raw Public Keys in 1889 Transport Layer Security (TLS) and Datagram Transport 1890 Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, 1891 June 2014, . 1893 [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP 1894 Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, 1895 . 1897 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 1898 Writing an IANA Considerations Section in RFCs", BCP 26, 1899 RFC 8126, DOI 10.17487/RFC8126, June 2017, 1900 . 1902 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1903 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1904 May 2017, . 1906 13.2. Informative References 1908 [ANRW17] Trammell, B., Kuhlewind, M., De Vaere, P., Learmonth, I., 1909 and G. Fairhurst, "Tracking transport-layer evolution with 1910 PATHspider", Applied Networking Research Workshop 2017 1911 (ANRW17) , July 2017. 1913 [Fukuda2011] 1914 Fukuda, K., "An Analysis of Longitudinal TCP Passive 1915 Measurements (Short Paper)", Traffic Monitoring and 1916 Analysis. TMA 2011. Lecture Notes in Computer Science, vol 1917 6613. , 2011. 1919 [HotMiddlebox13b] 1920 Detal, G., Paasch, C., and O. Bonaventure, "Multipath in 1921 the Middle(Box)", HotMiddlebox'13 , December 2013, 1922 . 1925 [I-D.arkko-arch-low-latency] 1926 Arkko, J. and J. Tantsura, "Low Latency Applications and 1927 the Internet Architecture", draft-arkko-arch-low- 1928 latency-02 (work in progress), October 2017. 1930 [I-D.boucadair-mptcp-plain-mode] 1931 Boucadair, M., Jacquenet, C., Bonaventure, O., Behaghel, 1932 D., stefano.secci@lip6.fr, s., Henderickx, W., Skog, R., 1933 Vinapamula, S., Seo, S., Cloetens, W., Meyer, U., 1934 Contreras, L., and B. Peirens, "Extensions for Network- 1935 Assisted MPTCP Deployment Models", draft-boucadair-mptcp- 1936 plain-mode-10 (work in progress), March 2017. 1938 [I-D.boucadair-radext-tcpm-converter] 1939 Boucadair, M. and C. Jacquenet, "RADIUS Extensions for 1940 0-RTT TCP Converters", draft-boucadair-radext-tcpm- 1941 converter-02 (work in progress), April 2019. 1943 [I-D.boucadair-tcpm-dhc-converter] 1944 Boucadair, M., Jacquenet, C., and R. K, "DHCP Options for 1945 0-RTT TCP Converters", draft-boucadair-tcpm-dhc- 1946 converter-02 (work in progress), April 2019. 1948 [I-D.nam-mptcp-deployment-considerations] 1949 Boucadair, M., Jacquenet, C., Bonaventure, O., Henderickx, 1950 W., and R. Skog, "Network-Assisted MPTCP: Use Cases, 1951 Deployment Scenarios and Operational Considerations", 1952 draft-nam-mptcp-deployment-considerations-01 (work in 1953 progress), December 2016. 1955 [I-D.olteanu-intarea-socks-6] 1956 Olteanu, V. and D. Niculescu, "SOCKS Protocol Version 6", 1957 draft-olteanu-intarea-socks-6-06 (work in progress), March 1958 2019. 1960 [I-D.peirens-mptcp-transparent] 1961 Peirens, B., Detal, G., Barre, S., and O. Bonaventure, 1962 "Link bonding with transparent Multipath TCP", draft- 1963 peirens-mptcp-transparent-00 (work in progress), July 1964 2016. 1966 [IETFJ16] Bonaventure, O. and S. Seo, "Multipath TCP Deployment", 1967 IETF Journal, Fall 2016 , n.d.. 1969 [IMC11] Honda, K., Nishida, Y., Raiciu, C., Greenhalgh, A., 1970 Handley, M., and T. Hideyuki, "Is it still possible to 1971 extend TCP?", Proceedings of the 2011 ACM SIGCOMM 1972 conference on Internet measurement conference , 2011. 1974 [RFC1323] Jacobson, V., Braden, R., and D. Borman, "TCP Extensions 1975 for High Performance", RFC 1323, DOI 10.17487/RFC1323, May 1976 1992, . 1978 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1979 RFC 1812, DOI 10.17487/RFC1812, June 1995, 1980 . 1982 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 1983 RFC 1919, DOI 10.17487/RFC1919, March 1996, 1984 . 1986 [RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and 1987 L. Jones, "SOCKS Protocol Version 5", RFC 1928, 1988 DOI 10.17487/RFC1928, March 1996, 1989 . 1991 [RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP 1992 Selective Acknowledgment Options", RFC 2018, 1993 DOI 10.17487/RFC2018, October 1996, 1994 . 1996 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 1997 Defeating Denial of Service Attacks which employ IP Source 1998 Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, 1999 May 2000, . 2001 [RFC3135] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z. 2002 Shelby, "Performance Enhancing Proxies Intended to 2003 Mitigate Link-Related Degradations", RFC 3135, 2004 DOI 10.17487/RFC3135, June 2001, 2005 . 2007 [RFC6181] Bagnulo, M., "Threat Analysis for TCP Extensions for 2008 Multipath Operation with Multiple Addresses", RFC 6181, 2009 DOI 10.17487/RFC6181, March 2011, 2010 . 2012 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 2013 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 2014 DOI 10.17487/RFC6887, April 2013, 2015 . 2017 [RFC6928] Chu, J., Dukkipati, N., Cheng, Y., and M. Mathis, 2018 "Increasing TCP's Initial Window", RFC 6928, 2019 DOI 10.17487/RFC6928, April 2013, 2020 . 2022 [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT 2023 Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013, 2024 . 2026 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 2027 Scheffenegger, Ed., "TCP Extensions for High Performance", 2028 RFC 7323, DOI 10.17487/RFC7323, September 2014, 2029 . 2031 [RFC7414] Duke, M., Braden, R., Eddy, W., Blanton, E., and A. 2032 Zimmermann, "A Roadmap for Transmission Control Protocol 2033 (TCP) Specification Documents", RFC 7414, 2034 DOI 10.17487/RFC7414, February 2015, 2035 . 2037 [RFC8041] Bonaventure, O., Paasch, C., and G. Detal, "Use Cases and 2038 Operational Experience with Multipath TCP", RFC 8041, 2039 DOI 10.17487/RFC8041, January 2017, 2040 . 2042 [RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: 2043 Better Connectivity Using Concurrency", RFC 8305, 2044 DOI 10.17487/RFC8305, December 2017, 2045 . 2047 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 2048 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 2049 . 2051 [RFC8548] Bittau, A., Giffin, D., Handley, M., Mazieres, D., Slack, 2052 Q., and E. Smith, "Cryptographic Protection of TCP Streams 2053 (tcpcrypt)", RFC 8548, DOI 10.17487/RFC8548, May 2019, 2054 . 2056 [TS23501] 3GPP (3rd Generation Partnership Project), ., "Technical 2057 Specification Group Services and System Aspects; System 2058 Architecture for the 5G System; Stage 2 (Release 16)", 2059 2019, . 2062 Authors' Addresses 2064 Olivier Bonaventure (editor) 2065 Tessares 2067 Email: Olivier.Bonaventure@tessares.net 2069 Mohamed Boucadair (editor) 2070 Orange 2072 Email: mohamed.boucadair@orange.com 2073 Sri Gundavelli 2074 Cisco 2076 Email: sgundave@cisco.com 2078 SungHoon Seo 2079 Korea Telecom 2081 Email: sh.seo@kt.com 2083 Benjamin Hesmans 2084 Tessares 2086 Email: Benjamin.Hesmans@tessares.net